10.9.1 
National Security Information (NSI)

10.9.1.1 
(09-30-2008)
Purpose

  1. This IRM provides policy and guidance to be used by IRS personnel and organizations when handling national security information.
    It provides guidance to national security clearance holders on procedures for security and protection of national security
    information.

10.9.1.1.1 
(09-30-2008)
Overview

  1. It is the policy of the IRS to establish and manage a process for properly identifying and protecting National Security Information
    (NSI) within the Service. This IRM provides policy and guidance to be used by each office handling national security or “classified”
    information.

  2. It is the policy of the IRS to handle national security information in accordance with applicable laws, policies, and federal
    regulations. All national security information under the control of the IRS shall be protected and/or handled in accordance
    with its assigned national security level, to prevent the unauthorized disclosure and/or compromise of information.

10.9.1.1.2 
(09-30-2008)
Scope

  1. This IRM implements IRS minimum standards within the Service for classification, safeguarding, transmission, and destruction
    of classified information. It implements policies and procedures for the protection of National Security Information (NSI),
    hereafter referred to as “classified information”, and procedures for reporting violations, loss or compromise of National
    Security Information.

  2. The term “classified information” means information that has been determined pursuant to Executive Order (E.O.) 12958, to
    require protection against unauthorized disclosure and marked to indicate its classified status when in paper, electronic,
    or other form.

  3. This IRM applies to all employees and their supervisors who have been authorized access to classified information. These persons
    are individually responsible for compliance.

  4. Exhibit 10.9.1-1 lists terms and definitions used in the National Security Information Program.

10.9.1.1.3 
(09-30-2008)
Authority

  1. Executive Order (E.O.) 12958, Classified National Security Information of April 17, 1995, as amended.

  2. E.O. 13292, Classified National Security Information of March 25, 2003, amendment to E.O. 12958.

  3. Information Security Oversight Office (ISOO) Directive No. 1, 32 Code of Federal Regulation (CFR) Parts 2001 and 2004 Classified
    National Security Information, dated September 22, 2003.

  4. Treasury Order (TO) 105-19, Delegation of Original and Derivative Classification Authority, dated August 26, 2004.

  5. Treasury Department Publication (TD P) 15-71, Department of the Treasury Security Manual, dated October 10, 2006.

  6. TD P 85-01, Treasury Information Technology Security Program, dated 12 June 03.

  7. TO 102-20, Delegation of Authority Concerning the Information Security Program, dated March 19, 1998.

  8. Department of Treasury Classification Guide, dated May 21, 2008.

  9. IRM 10.8.1, Information Technology (IT) Security, dated March 3, 2008.

10.9.1.2 
(09-30-2008)
General Policy

  1. In accordance with Executive Order 12958, Classified National Security Information, as amended, the IRS shall develop, document,
    and implement a National Security Information (NSI) Program that identifies the classification and/or sensitivity of data,
    information, or materials, by establishing safeguards for, protecting, marking, handling, accounting, storing, sharing, reproducing,
    and destroying classified information.

  2. The IRS National Security Information Program shall:

    1. Assure the objectives of Executive Order 12958 by implementing policies, standards, and procedures consistent with Federal
      guidance.

    2. Assure adequate security is provided to all NSI under the control of the Service. This includes accounting, handling, marking,
      storing, reproducing, sharing and destroying.

    3. Assure proper identification and reporting of possible violations and/or compromise of NSI.

    4. Assure individuals entrusted to handle NSI are properly trained and aware of their responsibilities when handling classified
      information.

10.9.1.2.1 
(09-30-2008)
Roles and Responsibilities

  1. Commissioner of Internal Revenue.

    1. The head of an agency that handles classified information is required by Section 5.6 of E.O. 12958 to:

      1. Demonstrate a personal commitment and commit senior management to the successful implementation of the national program established
        by E.O. 12958;

      2. Commit necessary resources to the effective implementation of the program;

      3. Designate a senior agency official (SAO) to direct and administer the program;

    2. Carry out the policies and procedures set forth in TD P 15-71.

  2. Director, Agency-Wide Shared Services is designated the SAO for the Service. SAO duties include:

    1. Overseeing the Service's information security program established by E.O. 12958, E.O. 12968 and TD P 15-71;

    2. Designating an Information Security Manager;

    3. Promulgating implementing directives and regulations;

    4. Establishing and maintaining information security education and training programs;

    5. Service-wide classification management;

    6. Establishing and maintaining an ongoing self-inspection program, which shall include periodic review and assessment of the
      Service's classification product;

    7. Establishing procedures to prevent unnecessary access to classified information, including ensuring procedures requiring a
      need for access to classified information are established before initiating administrative clearance procedures, and ensuring
      that the number of persons granted access to classified information is limited to the minimum consistent with operational
      and security requirements and needs;

    8. Developing special contingency plans for the safeguarding of classified information used in or near hostile or potentially
      hostile areas;

    9. Approving requests on behalf of the Commissioner from Service officials for derivative classification authority;

    10. Assuring that the performance contract or other system used to rate personnel performance includes the management of classified
      information as a critical element or item to be evaluated in the rating of original classification authorities, security managers
      or security specialists, and all others whose duties significantly involve the creation or handling of classified information;

    11. Accounting for the costs associated with the implementation of E.O. 12958;

    12. Assigning in a prompt manner Service personnel to respond to any request, appeal, challenge, complaint, or suggestion arising
      out of E.O. 12958 that pertains to classified information that originated in a component of the Service that no longer exists
      and for which there is no clear successor in function;

    13. Taking appropriate and prompt corrective action when a violation or infraction occurs;

    14. Directing and administering the Service's information security program under which information is classified, safeguarded,
      and declassified. This program implements E.O.s, public law, and directives issued by Treasury, the National Security Agency,
      and other agencies regarding the protection of classified information;

    15. Managing the Communications Security (COMSEC) program that secures classified information.

  3. Director, Physical Security and Emergency Preparedness (PSEP), manages and administers the Service's information security
    program for the SAO. The Director's responsibilities include:

    1. Formulating Service policy and procedures, issuing directives, and monitoring, inspecting, and reporting on the status of
      administration of the information security program in the Service;

    2. Implementing an industrial security program within the Service;

    3. Serving as the Service's primary information security program official and liaison with Department of the Treasury and other
      Federal agencies;

    4. Coordinating and performing program audits and reviews.

  4. Operating Division Commissioners, Regional Commissioners, District Directors, Service Center Directors, Regional Counsels,
    National Office Division Director, and Computing Center Directors are responsible for the effective management of classified
    information within their organizations. Effective management includes:

    1. Designating in writing Classified Document Custodians (CDC) at facilities storing and handling classified information. CDCs
      are the primary persons involved in protecting classified information;

    2. Ensuring that CDCs are trained and provided the appropriate resources to protect classified information;

    3. Issuing local security instructions and procedures;

    4. Ensuring CDCs conduct self-inspections;

    5. If Top Secret information is held by the organization, appointing, in writing, a Top Secret Control Officer (TSCO).

      Note:

      CDC and TSCO duties may be assigned to the same person.

  5. CDCs and other holders of classified NSI.

    1. Ensuring that access to classified information is limited to appropriately cleared personnel with a need-to-know;

    2. Ensuring that classified information is classified, safeguarded, transmitted and destroyed per this IRM;

    3. Reporting the loss or compromise of classified information.

10.9.1.3 
(09-30-2008)
Classification of National Security Information

  1. Information may be classified Top Secret, Secret, or Confidential only under the terms of E.O. 12958, as amended, its predecessor
    orders, and implementing directives.

  2. TD P 15-71, Sections 5 and 6, Chapter III, set forth uniform standards for marking classified information within Treasury
    and its bureaus.

10.9.1.3.1 
(09-30-2008)
Classification Levels

  1. NSI is classified at one of the following three levels:

    1. “TOP SECRET” is applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally
      grave damage to the national security that the original classification authority is able to identify or describe.

    2. “SECRET” is applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage
      to the national security that the original classification authority is able to identify or describe.

    3. “CONFIDENTIAL” is applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage
      to the national security that the original classification authority is able to identify or describe.

      Note:

      Per E.O. 12958 no other terms shall be used to identify United States classified information, except as otherwise provided
      by statute.

10.9.1.3.2 
(09-30-2008)
Classification Authority

  1. The authority to classify information is either original or derivative. TO 105-19 delegates original and derivative classification
    authority to certain Treasury and bureau officials. Within the IRS, the authority to classify NSI is limited to derivative
    classification.

10.9.1.3.2.1 
(09-30-2008)
Original Classification Authority

  1. Original classification is the initial decision that an item of information could be expected to cause damage to national
    security. Within the Department of the Treasury, this decision may only be made by an Original Classification Authority (OCA).

  2. The IRS has not been delegated OCA authority.

  3. Requests for OCA may be submitted in writing to the Service SAO. Each request must identify:

    1. The prospective OCA's position or title, organization; and

    2. Justification for OCA.

  4. OCA is granted when:

    1. Original classification is required during the normal course of business;

    2. Sufficient expertise and information are available to the prospective OCA to permit effective classification decisions;

    3. The need for original classification cannot be eliminated by issuance of classification guidance by existing OCAs; and

    4. Approved by Treasury.

10.9.1.3.2.2 
(09-30-2008)
Derivative Classification Authority

  1. Derivative classification is the incorporating, paraphrasing, restating or generating in new form information that is already
    classified, and marking the newly developed material consistent with the classification markings that apply to the source
    information. Derivative classification includes the classification of information based on classification guidance.

  2. Any IRS employee with a security clearance may derivatively classify National Security Information (at the Top Secret, Secret
    or Confidential level) up to the level of their clearance.

  3. In order to derivatively classify, an employee must possess a properly authorized security clearance, have the means to properly
    safeguard classified information, have access to specifically approved equipment for properly processing classified information,
    and have been briefed on requirements for properly safeguarding classified information.

  4. Duplication or reproduction of existing classified information is not derivative classification. Persons who only reproduce,
    extract, or summarize classified information in new form, or who only apply classification markings derived from source material
    or as directed by a classification guide, need not possess original classification authority. Derivative classifiers shall:

    1. Observe and respect original classification decisions;

    2. Carry forward to any newly created documents the pertinent classification marking;

    3. For information derivatively classified based on multiple sources, the derivative classifier shall carry forward:

      1. The date or event for declassification that corresponds to the longest period of classification among sources; and

      2. A listing of these sources on or attached to the official file or record copy.

    4. Report to the SAO that a new derivatively classified document has been formed.

      Note:

      When there is reasonable doubt about the need to classify information, the information shall be safeguarded as if it were
      at least Confidential, pending a determination by an OCA. If such determination affirms the initial protection, the information
      will be marked to reflect its final classified status. Whenever a determination results in a decision by an OCA that the information
      does not warrant classification, the tentative “CONFIDENTIAL” markings will be removed. The decision of the OCA shall be final.

10.9.1.3.3 
(09-30-2008)
Prohibitions and Limitations on Classification

  1. In no case shall information be classified in order to:

    1. Conceal violations of law, inefficiency, or administrative error;

    2. Prevent embarrassment to a person, organization, or agency;

    3. Restrain competition; or

    4. Prevent or delay the release of information that does not require protection in the interests of national security.

  2. Basic scientific research not related to the national defense may not be classified.

  3. Information may not be reclassified after it has been declassified and released to the public under proper authority.

  4. Information that has not previously been disclosed to the public under proper authority may be classified or reclassified
    after an agency has received a request for it under the Freedom of Information Act (5 USC 552) or the Privacy Act of 1974
    (5 USC 552a), or the mandatory review under the provisions of E.O. 12958, section 3.6, as amended, only if such classification
    meets requirements of E.O. 12958 and is accomplished on a document-by-document basis with the personal participation of the
    Service SAO. Final approval rests with the Secretary of the Treasury, the Deputy Secretary, or Treasury's SAO. This provision
    does not apply to classified information contained in records that are more than 25 years old and have been determined to
    have permanent historical value under title 44 USC.

  5. Compilations of items of information which are individually unclassified may be classified if the compiled information reveals
    an additional association or relationship that:

    1. Meets the standards for classification under E.O. 12958, as amended, and;

    2. Is not otherwise revealed in the individual items of information.

10.9.1.3.4 
(09-30-2008)
Classification Challenges

  1. Authorized holders of classified information, who in good faith believe that classified information is improperly classified,
    are encouraged and expected to challenge the classification status of the information per the procedures that follow. Persons
    challenging the classification of information are assured that:

    1. They will not be subject to retribution for bringing the challenge;

    2. The challenge will be conducted impartially by the Service SAO; and

    3. If the challenge is denied by the SAO, the challenger has the right to appeal the SAO's decision to the Interagency Security
      Classification Appeals Panel established by E.O. 12958, section 5.4, as amended.

  2. When reason exists to believe information is improperly classified, the person challenging will request that the SAO conduct
    a review of the information. The request will be in writing and should include the following data:

    1. A sufficient description of the information, its classification, its original or derivative classifiers (if known), and

    2. The reason or reasons the information is believed to be improperly classified.

      Note:

      Classified information should not be included in the request. If the request contains classified information, the request
      must be safeguarded per this IRM.

  3. The SAO will complete the review within 45 days, and report the results of the review in writing to the challenger.

  4. If the SAO is unable to resolve the issue to the satisfaction of the challenger, the challenger may appeal the SAO's decision
    to the Interagency Security Classification Appeals Panel in coordination with the Department of the Treasury.

  5. While undergoing challenge, the classified information in question shall be safeguarded as required by this IRM until a final
    decision is reached.

10.9.1.3.5 
(09-30-2008)
Authority to Downgrade, Declassify, or Modify Classified Information

  1. The officials authorized to downgrade, declassify, or modify an original classification with a resulting change in the classification
    guidance for classified Treasury information are:

    1. The Treasury Secretary with respect to all information which Treasury exercises final classification authority;

    2. The Treasury OCA who authorized the original classification or the OCA's successor in function.

  2. The authority to downgrade, declassify, or modify is not to be confused with the responsibility of an authorized holder of
    classified information to downgrade, declassify, or modify it as directed by classification guidance of the OCA.

10.9.1.3.6 
(09-30-2008)
Declassification of National Security Information

10.9.1.3.6.1 
(09-30-2008)
Automatic Declassification

  1. Automatic Declassification occurs:

    1. At the occurrence of a specific date or event as determined by an OCA; or

    2. At the expiration of a maximum time frame for the duration of classification established by E.O. 12958, as amended.

    Note:

    Specific dates or events as determined by an OCA can be found in classification legends on the first page of classified information
    or in classification guides.

  2. E.O. 12958, as amended, establishes procedures for automatic declassification of information in permanently-valuable records
    25 years from the date of original classification. The Service SAO is responsible for implementing Service procedures for
    automatic declassification of classified service records that are 25 years old or older.

10.9.1.3.6.2 
(09-30-2008)
Systematic Declassification

  1. Systematic declassification is the review for declassification of classified information contained in records that have been
    determined by the Archivist of the U.S. to have permanent historical value. The Service SAO is responsible for identifying
    to the Archivist of the U.S. classified Service information which is 25 years old and older and which requires continued protection.
    This includes permanently-valuable records exempted from automatic declassification under E.O. 12958, section 3.4, as amended.

10.9.1.3.6.3 
(09-30-2008)
Mandatory Declassification Review

  1. Mandatory declassification requests will be processed as follows:

    1. Recipient of request forwards request to SAO;

    2. SAO sends requester a letter acknowledging receipt of the request, explaining the review process and time lines, and providing
      a point of contact;

    3. SAO completes the review within 45 days; and

    4. SAO notifies requester of results.

      Note:

      If no determination is made or a determination is unfavorable to the requester, SAO notification will include the requester's
      right to appeal via the SAO and Treasury to the Interagency Security Classification Appeals Panel.

10.9.1.4 
(09-30-2008)
Safeguarding National Security Information

  1. Classified information regardless of its form shall be afforded a level of protection against unauthorized disclosure commensurate
    with its level of classification.

  2. Any organizational element within the Service that has custody of or handles classified information shall:

    1. Appoint in writing a primary and alternate Classified Document Custodian (CDC). The CDC and alternate will have a security
      clearance equivalent to the highest level of classified information in their custody. Exhibit 10.9.1-1 lists the duties and
      responsibilities of a CDC;

    2. By October 1 of each year forward a copy of the written appointment to the SAO;

    3. Refer any matter pertaining to the implementation of this IRM to the SAO.

  3. Authorized persons who have access to classified information are responsible for:

    1. Protecting it from persons who are not authorized access, to include securing it in approved equipment and facilities whenever
      it is not under the direct control of an authorized person;

    2. Meeting the safeguarding requirements prescribed by this IRM;

    3. Ensuring that classified information is not communicated over unsecured voice or data circuits, in public conveyances or places,
      or in any other manner that permits interception by unauthorized persons.

  4. Classified information will be processed only in Service facilities, on accredited information systems, and under conditions
    which prevent unauthorized persons from gaining access.

  5. Classified information is the property of the U.S. Government and not personal property.

  6. Classified North Atlantic Treaty Organization (NATO) information and other foreign government information may not be held
    by any Service organizational element unless coordination is made with the SAO. NATO information shall be safeguarded in compliance
    with the U.S. Security Authority of NATO Instructions.

10.9.1.5 
(09-30-2008)
Access to Classified Information

  1. Per E.O. 12968, as amended, no employee shall be granted access to classified information unless that employee has been determined
    eligible in accordance with the E.O. and has the need-to-know.

    1. An employee is considered eligible for access to a particular level of classified information when the employee possesses
      a security clearance at that particular level (or higher level).

    2. Need-to-know is a determination made by an authorized holder of classified information that a prospective recipient requires
      access to specific classified information in order to perform or assist in a lawful and authorized government purpose.

  2. No employee shall be deemed to be eligible for access to classified information merely by reason of Federal service or contracting,
    licensee, certificate holder, or grantee status, or as a matter of right or privilege, or as a result of any particular title,
    rank, position, or affiliation.

  3. IRM 10.23, Personnel Security, contains procedures for requesting security clearances of employees. The Personnel Security
    Office website is also a good source for this information and can be found at: http://awss.web.irs.gov/PersonnelSecurity/index.html

  4. Holders of classified information are responsible for verifying security clearances of employees. Verification will be accomplished
    as follows:

    1. For IRS employees, contact the Personnel Security Office;

    2. For visitors see Exhibit 10.9.1-2.

10.9.1.6 
(09-30-2008)
Standards for Security Equipment

  1. Security equipment used for secure storage or destruction of classified material will conform to standards specified by the
    General Services Administration (GSA). Whenever new security equipment is procured, it shall conform to GSA standards and
    to the maximum extent possible be of the type available through the Federal Supply System.

  2. GSA-approved field safes and special purpose one and two drawer light-weight security containers are intended primarily
    for storage of classified information in situations where normal storage of classified information is not feasible. If used
    in normal storage situations, these security containers will be securely fastened to a structure to render them non-portable
    and kept under constant surveillance to prevent their theft.

10.9.1.7 
(09-30-2008)
Storing Classified Information

  1. Classified information shall be stored only under conditions designed to deter and detect unauthorized access to the information.
    Storage at overseas locations shall be at U.S. Government controlled facilities.

  2. External marking of security containers shall not reveal the level of information stored within them.

  3. Weapons, jewelry, or narcotics shall not be stored in security containers used to store classified information.

  4. Classified information not under the personal control or observation of an appropriately cleared person shall be guarded by
    an appropriately cleared guard or stored in a locked GSA-approved security container, vault, or open storage area.

10.9.1.7.1 
(09-30-2008)
Storing Top Secret Information

  1. Top Secret may be stored in a GSA-approved security container with one of the following supplemental controls:

    1. Continuous protection by cleared guard or duty personnel;

    2. Inspection of the security container every two hours by cleared guard or duty personnel;

    3. An intrusion detection system (IDS) with personnel responding to the alarm within 15 minutes of the alarm annunciation; or

    4. Security-In-Depth, or layered security, providing the GSA-approved container is equipped with a lock meeting Federal Specification
      FF-L-2740.

  2. Top Secret may also be stored in a secured open storage area, i.e., Sensitive Compartmented Information Facility (SCIF)
    equipped with IDS, with personnel physically responding to the alarm within 15 minutes of the alarm annunciation if the area
    is covered by Security-In-Depth or a five minute physical alarm response if it is not.

  3. Top Secret may also be stored in an IDS-equipped vault with the personnel responding to the alarm arriving within 15 minutes
    of the alarm annunciation.

10.9.1.7.2 
(09-30-2008)
Storing Secret Information

  1. Secret information shall be stored in the same manner as for Top Secret information; or

  2. In a GSA-approved security container or vault without supplemental controls; or

  3. Until October 1, 2012, in a non-GSA approved container having a built-in combination lock or in a non-GSA approved container
    secured with a rigid metal lock-bar and padlock approved by Treasury OSP, or in an open storage area. In either case, one
    of the following supplemental controls is required:

    1. The location that houses the container or open storage area shall be subject to continuous protection by cleared guard or
      duty personnel;

    2. Cleared guard or duty personnel shall inspect the security container or open storage area once every four hours; or

    3. A Service approved IDS with personnel responding to the alarm arriving within 30 minutes of the alarm annunciation.

      Note:

      In addition to the supplemental controls listed above, security-in-depth as determined by the SAO is required as part of the
      supplemental controls for non-GSA approved container or open storage area storing Secret information.

10.9.1.7.3 
(09-30-2008)
Storing Confidential Information

  1. Confidential information shall be stored in the same manner as prescribed for Top Secret or Secret information except that
    supplemental controls are not required.

10.9.1.8 
(09-30-2008)
Use and Maintenance of dial-type and other changeable combination locks

  1. When equipment is in service, the classification of the combination shall be the same as the highest level of classified information
    that is protected by the lock. Standard Form (SF) 700, Security Container Information, will be used to record security container
    data. It will be marked and safeguarded per the highest classification level of the information protected by the lock. Combinations
    to dial-type locks shall be changed only by persons with a security clearance at the level of information being protected
    unless other sufficient controls exist to prevent access to the lock or knowledge of the combination.

  2. Combinations shall be changed under the following conditions:

    1. Whenever such equipment is put into use;

    2. Whenever a person knowing the combination no longer requires access to it unless other sufficient controls exist to prevent
      access to the lock;

    3. Whenever a combination has been subject to possible compromise, actual compromise, or unauthorized disclosure;

    4. When the equipment is taken out of service; or

    5. At least once every three years, unless conditions dictate sooner.

  3. When equipment is placed in an “out of service” status, it shall be inspected to ensure that no classified information
    remains inside of it, and the built-in combination will be reset to the manufacturer's standard combination, 50-25-50 or 10-20-30.

10.9.1.8.1 
(09-30-2008)
Key operated locks

  1. When key operated locks are used to secure classified information, the keys shall be protected to the highest classification
    level of the information being protected.

10.9.1.9 
(09-30-2008)
Controlling Classified Information

  1. When removed from secure storage, classified information will be covered with SF Forms 703 (“Orange” Top Secret Cover Sheet),
    704 (“Red” Secret Cover Sheet), or 705 (“Blue” Confidential Cover Sheet), and kept under constant surveillance by authorized
    persons.

  2. Automated information system media used for processing or storing classified information in a mixed working environment (i.e.,
    classified and unclassified) will be marked with SF 706 (“Orange” Top Secret Label), 707 (“Red” Secret Label), 708 (“Blue”
    Confidential Label), 709 (“Purple” Classified but level pending Label), 710 (“Green” Unclassified Label), or 711 (“White”
    Data Descriptor Label).

    1. In locations where only unclassified information is processed or stored, the use of the green “unclassified” label (SF 710)
      is optional. However, in environments in which classified and unclassified information is processed or stored, the “unclassified”
      label must be used to positively identify removable IT media authorized for unclassified use only. Each of these labels
      is available via national stock number through normal Federal supply channels.

  3. Classified working papers and items will be protected according to their security classification level. They will be immediately
    destroyed when no longer needed.

  4. Classification discussions shall not be conducted with or in the presence of unauthorized persons.

10.9.1.9.1 
(09-30-2008)
End of Day Security Control Measures

  1. End-of-day security checks shall be conducted in areas that handle, process, or store classified information. The SF 701,
    Activity Security Checklist, shall be used to document the end-of-day check.

  2. When securing or checking a security container, rotate the dial of combination locks at least four complete turns in the same
    direction, and check each drawer. This prevents the possibility of someone being able to open the lock by merely turning the
    dial back to its opening position.

10.9.1.9.2 
(09-30-2008)
Top Secret Control Measures

  1. Organizations that handle or store Top Secret (TS) classified information shall designate a Top Secret Control Officer (TSCO).
    The CDC may serve concurrently as the TSCO.

  2. TSCO qualifications:

    1. A Top Secret Clearance

    2. Federal employee

    3. A U.S. citizen

  3. TSCO duties:

    1. Maintain a system of Top Secret accountability to record the receipt, reproduction, transfer, transmission, downgrading, declassification,
      and destruction of Top Secret information in accordance with TD P 15-71, Chapter III, Section 15, Paragraph 5.

    2. Inventory Top Secret information at least once per year and report inventory results to the SAO.

10.9.1.9.3 
(09-30-2008)
Secret Control Measures

  1. CDCs shall establish administrative procedures for the control of Secret information appropriate to their local environment,
    based on an assessment of the threat, location, and mission of their organization. These procedures shall be used to protect
    Secret information from unauthorized disclosure by access control and compliance with the marking, storage, transmission,
    and destruction requirements of this IRM.

10.9.1.9.4 
(09-30-2008)
Confidential Control Measures

  1. CDCs shall establish administrative procedures for the control of Confidential information appropriate to their local environment,
    based on an assessment of the threat, location, and mission of their organization. These procedures shall be used to protect
    Confidential information from unauthorized disclosure by access control and compliance with the marking, storage, transmission,
    and destruction requirements of this IRM.

10.9.1.10 
(09-30-2008)
Reproduction of Classified Information

  1. Reproduction of classified information shall be held to the minimum consistent with operational requirements.

    1. Reproduction shall be accomplished by cleared authorized persons knowledgeable of the procedures for classified reproduction
      on approved classified reproduction machines labeled as such that indicate any restrictive caveats with respect to the reproduction
      of classified information.

    2. Reproducing Top Secret information requires approval of the originator. Secret and Confidential have no such restriction except
      that it should only be accomplished as needed for operational efficiency.

    3. Copies of classified information shall be subject to the same controls as the original information.

      Note:

      Use of technology that prevents, discourages, or detects unauthorized reproduction of classified information is encouraged.

10.9.1.11 
(09-30-2008)
Transmission of Classified Information

  1. Classified information shall be transmitted and received in an authorized manner which ensures that evidence of tampering
    can be detected, that inadvertent access can be precluded, and in a manner that provides a method which assures timely delivery
    to the intended recipient. Persons transmitting classified information are responsible for ensuring that intended recipients
    are authorized persons with the capability to store classified information in accordance with this IRM.

  2. All classified information physically transmitted outside of government facilities shall be enclosed in two opaque wrappers/envelopes.
    Both wrappers shall provide reasonable evidence of tampering and shall conceal the contents. The inner wrapper shall clearly
    identify the address of both the sender and the intended recipient, the highest classification level of the contents, and
    any appropriate warning notices. The outer enclosure shall be the same except that no classification markings that would indicate
    the contents shall be visible. Intended recipients shall be identified by name only as part of an attention line. The following
    exceptions apply:

    1. If the classified information is an internal component of a packable item of equipment, the outside shell or body may be considered
      as the inner enclosure provided it does not reveal classified information;

    2. If the classified information is an inaccessible internal component of a bulky item of equipment, the outside body of the
      item may be considered to be a sufficient enclosure provided observation of it does not reveal classified information;

    3. If classified information is an item of equipment that is not reasonably packable and the shell or body is classified, it
      shall be concealed with an opaque enclosure that will hide all classified features;

    4. Specialized shipping containers, including closed cargo transporters or diplomatic pouch may be considered the outer enclosure
      when used; and

    5. When classified information is hand-carried outside a facility, a locked briefcase may serve as the outer enclosure.

  3. Couriers and authorized persons designated to hand-carry classified information shall ensure that the information remains
    under their constant and continuous protection and that direct point-to-point delivery is made. As an exception the SAO may
    approve, as a substitute for a courier on direct flights, the use of specialized shipping containers that are of sufficient
    construction to provide evidence of forced entry, are secure with a high security padlock, are equipped with an electronic
    seal that would provide evidence of surreptitious entry and are handled by the carrier in a manner to ensure that the container
    is protected until its delivery is completed.

10.9.1.11.1 
(09-30-2008)
Transmission of Top Secret Information

  1. Transmission of Top Secret information between the U.S., Puerto Rico, or a U.S. possession or trust territory shall be by:

    1. Direct person-to-person contact between cleared employees;

    2. State Department diplomatic pouch, The Defense Courier Service, or an authorized government agency courier service;

    3. A designated Service courier or escort with Top Secret Clearance;

    4. Electronic means over approved communications systems.

      Note:

      Under no circumstances will Top Secret information be transmitted via the U.S. Postal Service or other commercial messenger
      service.

10.9.1.11.2 
(09-30-2008)
Transmission of Secret Information

  1. Secret information shall be transmitted by:

    1. Any of the methods established for Top Secret;

    2. U.S. Postal Service Express Mail or U.S. Postal Service Registered Mail, but the Waiver of Signature and Indemnity block,
      item 11-B, on the U.S. Postal Service Express Mail Label shall not be completed;

    3. Cleared commercial carriers or cleared commercial messenger services.

      Note:

      The use of street-side mail collection boxes is strictly prohibited for classified materials.

10.9.1.11.3 
(09-30-2008)
Transmission of Confidential Information

  1. Confidential information shall be transmitted by any of the methods established for Secret information.

10.9.1.11.4 
(09-30-2008)
Transmission to a U.S. Government facility located outside the U.S.

  1. The transmission of classified information to a U.S. Government facility located outside the 50 states, the District of Columbia,
    the Commonwealth of Puerto Rico, or a U.S. possession or trust territory, shall be by methods specified above. United States
    Postal Service through Military Postal Service facilities may be used to transmit Secret and Confidential information provided
    the information does not, at any time, pass out of U.S. citizen control nor pass through a foreign postal system.

10.9.1.11.5 
(09-30-2008)
Transmission of Classified Information to Foreign Governments

  1. Transmission of classified information to foreign governments shall take place between designated government representatives
    using the transmission methods described above. When classified information is transferred to a foreign government or its
    representative, a signed receipt is required.

10.9.1.11.6 
(09-30-2008)
Receipts for Transmissions of Classified Information

  1. For accountability purposes, Treasury Department Form (TD F) 15-05.8, Receipt for Classified Information, shall be used to
    account for classified information received or transmitted.

10.9.1.12 
(09-30-2008)
Destruction of Classified Information

  1. Classified information that is no longer required for operational purposes will be destroyed by authorized means and appropriately
    cleared personnel. The means for destruction shall ensure complete destruction to preclude recognition or reconstruction of
    the classified information.

  2. The preferred method for destroying classified paper is by cross-cut shredding. Destruction of classified paper media shall
    be performed using one of the high-security cross-cut shredders listed on the National Security Agency (NSA), Central Security
    Service (CSS) evaluated products list. Dispose of the residue in several waste baskets, bins, or receptacles. The shredded
    paper should be distributed as such because the shredding process itself is not the final disposition. The shredded paper
    is still disposed of in some manner depending upon the location and the mode of waste removal that is used in each facility.
    Other methods for destroying classified paper must be approved by the SAO.

  3. COMSEC information will be destroyed by means approved by the SAO.

  4. Technical guidance concerning appropriate methods, equipment, and standards for the destruction of classified electronic media
    and processing equipment components will be obtained by submitting pertinent information to the National Security Agency/Central
    Security Service, Directorate for Information Systems Security, Fort Meade, MD 20755. Specifications concerning appropriate
    equipment and standards for the destruction of other storage media will be obtained from GSA.

  5. Classified information that cannot be destroyed shall be reevaluated and, when appropriate, downgraded, declassified, or retired
    to a designated record center.

10.9.1.13 
(09-30-2008)
Telecommunications, Automated Information Systems, and Network Security

  1. The automated information systems and networks used to process and store classified information shall be accredited. The SAO
    is the Designated Accrediting Authority for any automated information system or network that processes classified information.

  2. Classified telephone and data transmissions shall be permitted only over secure telecommunications approved by the National
    Security Agency for the classification level of the information being transmitted. Secure telecommunications can be procured
    through the SAO.

10.9.1.14 
(09-30-2008)
Security Violations, Loss or Compromise of Classified Information

  1. Violations, loss, or compromise of classified information present a threat to the national security. Reports of violations,
    loss, or compromise ensure that such incidents are properly investigated and that necessary actions are taken to negate or
    minimize the adverse effects of the incident and to preclude recurrence.

  2. A security violation is the failure to provide a level of protection for classified national security information, as defined
    in E.O. 12958, as amended, that would prevent unauthorized disclosure. There are three types of security violations:

    1. Administrative discrepancies. These are infractions of security policies or procedures that do not result in a loss, compromise
      or possible compromise of classified information.

    2. Loss or possible compromise. A loss or possible compromise is when classified information is not under the control of an authorized
      user or in proper storage. A loss of classified information also occurs when it cannot be physically located or accounted
      for.

    3. Compromise. A compromise occurs when classified information is disclosed to someone who is not authorized to receive it, e.g.,
      disclosure of information to a person or persons who do not have valid security clearances or need to know.

  3. The overriding concern in incidents involving the loss, compromise, or possible compromise of classified information is to
    regain control of the information and protect it in a manner appropriate to its classification.

10.9.1.14.1 
(09-30-2008)
Personnel Responsibilities

  1. Any person who has knowledge that classified information has been or may have been lost, possibly compromised or disclosed
    to an unauthorized person(s) shall:

    1. Where applicable, take custody of the information and safeguard it in an appropriate manner.

    2. Immediately report the circumstances to the CDC for the material. The CDC will conduct an inquiry of the incident per TD P
      15-70, Chapter III, Section 19, and report the results of the inquiry, within 3 working days, to the Service SAO.

      Note:

      If the individual discovering the violation, loss, or compromise believes the CDC may be involved in the incident, he/she
      should notify his/her manager, the SAO, Information Security Manager, Physical Security or TIGTA.

  2. The SAO shall take appropriate action per TD P 15-70, Chapter III, Section 19.

10.9.1.14.2 
(09-30-2008)
CDC Responsibilities

  1. Within 3 working days of being notified, the CDC will complete Part I of TD F 15-05.6, Department of the Treasury Record of
    Security Violation, and forward the form to the SAO, Exhibit 10.9.1-4.

  2. Exhibit 10.9.1-5 lists the information that is required to be completed in the record of security violation form.

10.9.1.15 
(09-30-2008)
Treasury Policy

  1. An individual at any level of employment, including contractor employees under the National Industrial Security Program, determined
    to have been responsible for the unauthorized release or disclosure, or potential release or disclosure, of classified information,
    either knowingly, willfully or through negligence, shall be notified on TD F 71-21.1 (Record of Security Violation) that his
    or her action is in violation of E.O. 12958, as amended, or other applicable Treasury or bureau regulation.

  2. Primary responsibility for the protection of classified information from possible unauthorized disclosure rests with each
    individual having knowledge of or physical custody of the information. Ultimate responsibility may reside with the supervisor
    to the same degree that he or she is charged with the functional responsibility for the organizational unit. In certain instances,
    when it is impossible to determine the individual responsible for the security violation, the supervisor of the organizational
    entity involved may be held accountable.

  3. Repeated or serious abuse of the classification process, either by unnecessary or over classification or repeated failure,
    neglect or disregard for requirements for safeguarding classified information by an employee, whether deliberately through
    negligence or involving a pattern of carelessness, may be grounds for adverse or disciplinary action.

  4. Any security violation possibly involving an infraction of Federal criminal laws or a senior Treasury or IRS official shall
    be forwarded by the SAO to the Director, Treasury Office of Security and concurrently to the Treasury Inspector General for
    Tax Administration (TIGTA). The Director of Physical Security and Emergency Preparedness shall confer with TIGTA regarding
    such violations. If additional investigation is deemed appropriate, TIGTA will determine who will conduct the investigation.
    Concurrent notification will be made to the Personnel Security Office to determine if suspension or revocation of access to
    classified information is appropriate.

Exhibit 10.9.1-1 
(02-21-2001)
Classified Document Custodian (CDC), Duties and Responsibilities

Serve as the principal advisor to the appointing official and supervisor in matters pertaining to security of classified information.

Ensure that access to classified information is limited to cleared personnel with a need-to-know.

Develop local operating procedures pertaining to how:

  1. Personnel security clearances and need-to-know will be verified;

  2. Classified information will be protected when removed from secure storage;

  3. Classified information will be carried in and out of the Service facility;

  4. End-of-day and after hours security checks will be conducted;

  5. Classified information is accounted for;

  6. Combinations to security containers will be stored;

  7. Classified meetings will be conducted;

  8. Classified information will be transmitted out of the facility;

  9. Classified information will be destroyed;

  10. Classified visits to the facility will be conducted to include procedure for verifying security clearances of visitors;

  11. Classified information will be reproduced;

  12. Classified information will be prepared or processed on automated information systems;

  13. Classified telephone conversations will be protected, i.e., use of Secure Telephone Units (STU) or Secure Terminal Equipment
    (STE);

  14. Combinations to security containers, vaults, or open storage areas are changed;

Report loss, compromise, or possible compromise of classified material, per reporting procedure of this handbook, to supervisor
and to the SAO.

Conduct self-inspections per instructions developed by the SAO.

Exhibit 10.9.1-2 
(02-21-2001)
Visitor Procedures

For the purposes of this IRM, a visitor is any employee whose security clearance cannot be verified by the National Background
Investigation Center.

CDCs and their supervisors are responsible for ensuring that only visitors with an appropriate level of security clearance
and need-to-know are granted access to classified information.

The visit request is a procedure designed to ensure that visitors have security clearances and need-to-know.

Visit requests will include the following information:

  1. Name and address of agency sponsoring the visit;

  2. Full name, date and place of birth, social security number, title, position and citizenship of proposed visitor;

  3. Name of person to be visited;

  4. Purpose and justification for visit;

  5. Certification of visitor's personnel security clearance, i.e., Top Secret, Secret, Confidential;

  6. Date or period for visit;

  7. Point of contact at the sponsoring agency to include contact data, i.e., phone number, fax number, and E-mail address.

    Note:

    Visit requests from U.S. contractors must also include the contractor's Commercial and Government Entity (CAGE) code and certification
    of the level of the Facility Clearance (FCL). FCLs are Top Secret, Secret, or Confidential.

Visit requests are not required for employees of the Executive Branch who are U.S. citizens when:

  1. There is an established working relationship, and

  2. The clearance level and the bounds of need-to-know of the government employee are known.

    Note:

    The holder of the classified information, not the visitor, decides whether or not a visit request is needed.

Visit requests should be submitted in advance of the proposed visit in sufficient time for local processing and to make a
determination as to whether or not the visitor will be granted access. Facsimile and E-mail requests are acceptable.

Time sensitive requests may be accepted by telephone, but must be confirmed promptly by facsimile or E-mail.

Movements of visitors, who will be granted access to classified information, must be controlled to ensure that their access
is consistent with the purpose of the visit. If a visitor is escorted, the escort must have a security clearance.

Exhibit 10.9.1-3 
(09-30-2008)
TD F 15-05.8, Receipt for Classified Information

DEPARTMENT OF THE TREASURY
Receipt for Classified Information
(Inclusion of classified information should be avoided)
Prepare in accordance with the Treasury Secretary Security Manual (type or print in ink) Date:
Section A – Address and Sender
TO:

FROM:  
Section B – Document Description (including document details)
Classification
(TS, S, C)
Description – Identify items such as report, letter, or memo. Unclassified subject or short title, copy and number of attachments,
etc.

Originating Agency/Dept.
Section C – Acknowledgment of Receipt
Name Signature Date    
Section D – Record of Internal Transmittal
Recipient Name
1.
2.
3.
4.
5.
Recipient Signature Date
Section E – Acknowledgment of Destruction
Destroyed by: Signature Date    
Witnessed by: Witness Signature Date    
TD F 15-05.8 (Revised 07/05). Previous versions usable until depleted Return original copy to sender

Exhibit 10.9.1-4 
(09-30-2008)
Department of the Treasury Record of Security Violation

DEPARTMENT OF THE TREASURY
RECORD OF SECURITY VIOLATION
Part 1 (To Be Executed By Reporting Official)
Violation Discovered By: Date: Time: Highest Classification Involved:
Building: Room Number: Office/Division: Phone Number: Station Number:
Subject of Reported Violation
Unsecured Security Container
Classified Document(s) Unsecured
Improper Transmission
Unsecured Barlock Cabinet
Classified In Waste Receptacle
Classified COMSEC
Unsecured Vault/Secure Room
Classified Burnbag Unsecured
Other (Use Narrative)
Security Container Check Sheet – Standard Form (SF) 702
SF 702 displayed?
All Columns used?
OPEN/CLOSED Sign?
Security Container/Cabinet Number:

Date of last SF 702 entry:

Narrative Description of Violation: (use reverse if necessary)

Name and Title of Reporting Official (type or print) Signature Date

Part 2 (To Be Executed By Individual Responsible For Violation)
Statement of Individual Responsible for Violation: (use reverse side or continuation sheet, if necessary)

Name and Title of Reporting Official (type or print) Signature Date

Part 3 (To Be Executed By Individual's Supervisor)
Estimated time information was without required protection: From: To:
Evaluation of Possibility of compromise: (use reverse side if necessary)

Corrective action to prevent recurrence has been initiated as follows: (use reverse side if necessary)

Name of Supervisor (Type or Print) Signature Date

FOR USE OF SECURITY OFFICE ONLY Valid Violation: Yes No
TD F 15-05.6 (Rev. 06/05). Previous editions obsolete.

Exhibit 10.9.1-5 
(09-30-2008)
Security Violations Inquiry Questions

Identify the information or material involved:

  1. Classification: (Include warning notices and intelligence control markings if any)

  2. Any identification or serial numbers

  3. Date

  4. Originator if known

  5. Original Classification Authority(ies) if known

  6. Derivative Classification Authority

  7. Subject or title

  8. Downgrading and declassification instructions

  9. Number of pages or items of equipment involved

Describe circumstances surrounding the incident: (Provide explanation of contributing factors and names of any persons interviewed).

Identify person(s) responsible: (If any or known).

Identify persons or offices notified, e.g., TIGTA: If TIGTA was notified indicate if they accepted or declined to investigate.

Identify any security weaknesses or vulnerabilities that may have contributed to the incident.

Identify corrective measures taken as a result of the incident.

Assess the likelihood of loss or compromise by choosing one of the following statements:

  1. A loss or compromise of classified information did not occur;

  2. A loss or compromise of classified information did not occur; however, a security weakness(es) or vulnerability(ies) was revealed
    due to the failure of a person(s) to comply with Service procedures;

  3. A loss or compromise of classified information may have occurred, but the probability of compromise is remote and the threat
    to national security minimal;

  4. A loss or compromise of classified information may have occurred due to significant systemic security weakness(es) or vulnerability(ies);
    or

  5. A loss or compromise of classified information occurred, and the probability of damage to the national security cannot be
    discounted without further investigation.

Exhibit 10.9.1-6 
(09-30-2008)
Terms and Definitions

Access. The ability and opportunity to obtain knowledge or possession of classified information.
Agency. Agency means any “Executive agency”, as defined in 5 USC 105, and any other entity within the executive branch that comes
into the possession of classified information.
Authorized Person. A person who has a favorable determination of eligibility, i.e., security clearance, for access to classified information,
has signed an approved nondisclosure agreement, and has a need-to-know for the specific classified information in the performance
of official duties.
Automated Information System (AIS). An assembly of computer hardware, software or firmware configured to collect, create, communicate, compute, disseminate,
process, store or control data or information.
Automatic Declassification. This term means the declassification of information based solely on:
a. The occurrence of a specific date or event as determined by an original classification authority; or
b. The expiration of a maximum time frame for duration of classification established under E.O. 12958.
Classification Guidance. This term means any instruction or source that prescribes the classification of specific information.
Classification Guide. A classification guide is a documentary form of classification guidance issued by an original classification authority that
identifies the elements of information regarding a specific subject that must be classified and establishes the level and
duration of classification for each such element.
Classification Management. Classification management seeks to ensure that official information is classified only when required in the interest of national
security and is properly identified and retains the classification assigned only as long as necessary.
Classified National Security Information. This term means information that has been determined pursuant to E.O. 12958 or any predecessor order to require protection
against unauthorized disclosure and is marked to indicate its classified status when in documentary form.
Communications Security (COMSEC). Measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity
of such communications. COMSEC includes crypto security, transmission security, emission security, and physical security of
COMSEC material.
Control. Control means the authority of an agency that originates information, or its successor in function, to regulate access to
the information.
Custodian. The individual or IRS entity who has possession of, or is otherwise charged with the responsibility for safeguarding classified
information.
Declassification. Declassification means the authorized change in the status of information from classified information to unclassified information.
Declassification Authority. Declassification authority means:
a. the official who authorized the original classification, if that official is still serving in the same position;
b. the originator's current successor in function;
c. a supervisory official of either; or
d. officials delegated declassification authority in writing by the Secretary of the Treasury or Treasury's SAO.
Declassification Guide. The written instructions issued by a declassification authority that describe the elements of information regarding a specific
subject that may be declassified and the elements that must remain classified.
Derivative Classification. The incorporating, paraphrasing, restating, or generating, in new form, information that is already classified and marking
the newly developed material consistent with the classification markings that apply to the source information. Derivative
classification includes the classification of information based on classification guidance. The duplication or reproduction
of existing classified information is not derivative classification.
Disclosure. Conveying classified information to another person.
Downgrading. Downgrading means a determination by a declassification authority that information classified and safeguarded at a specified
level shall be classified and safeguarded at a lower level.
Information Security Programs (ISP). ISPs include protective measures to safeguard classified national security information by persons authorized access to such
information under E.O. 12968 and to deny access to unauthorized persons under E.O. 12968. This also includes Department of
the Treasury requirements for access to sensitive but unclassified (SBU) information. SBU information was formerly known as
officially limited information.
Infraction. An infraction is any knowing, willful, or negligent action contrary to the requirements of E.O. 12958 and its implementing
directives that does not comprise a “violation”.
Industrial Security Program. This program includes that portion of internal security concerned with the protection of classified national security information
made accessible or released to U.S. industry.
Mandatory Declassification Review. The review for declassification of classified information in response to a request for declassification that meets the requirements
for section 3.6, E.O. 12958.
National Security. This term means the national defense or foreign relations of the United States.
Need-to-know. This term means a determination made by an authorized holder of classified information that a prospective recipient requires
access to specific classified information in order to perform or assist in a lawful and authorized governmental function.
Official Information. Information which is owned by, produced for or by, or is subject to the control of the U.S. Government.
Physical Security Programs. These programs include protective measures to safeguard personnel and property and to prevent unauthorized access to information.
Security clearance. A formal certification that an individual (1) has been determined to be eligible for access under section 3.1 of Executive
Order 12968 by agency heads or designated officials, based on a favorable adjudication of an appropriate investigation of
the individual's background; (2) has demonstrated need-for-access and (3) has signed an approved nondisclosure agreement.
A security clearance can be granted at the Top Secret, Secret, or Confidential level. A Top Secret clearance makes an employee
eligible for access to Top Secret, Secret, and Confidential classified information; a Secret clearance to Secret and Confidential;
and a Confidential clearance to Confidential.
Security Violation. The failure to provide a level of protection for classified national defense information, as defined in E.O. 12958, that
would prevent unauthorized disclosure commensurate with the information's level of classification. Per E.O. 12958 security
violations include:
Any knowing, willful, or negligent action that could reasonably be expected to result in an unauthorized disclosure of classified
information;
Any knowing, willful, or negligent action to classify or continue the classification of information contrary to the requirements
of E.O. 12958 and its implementing directives; or
Any knowing, willful, or negligent action to create or continue a special access program contrary to the requirements of this
order.
Senior Agency Official (SAO). The official designated by the agency head under section 5.6(c) of E.O. 12958 to direct and administer the agency's program
under which information is classified, safeguarded, and declassified.
Source document. An existing document that contains classified information that is incorporated, paraphrased, restated, or generated in new
form into a new document.
Transmission. Any movement of classified information from one place to another.
Unauthorized access. When an unauthorized person or persons have access to classified information due to insufficient safeguards to prevent them
from gaining knowledge or possession of the information. This also includes failure to follow prescribed procedures to prevent
such person(s) from gaining access to classified information.
Unauthorized disclosure. This term means a communication or physical transfer of classified information to an unauthorized recipient.
